-rw-r--r-- | modules/ssl/mod_ssl.c | 4 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_init.c | 8 | ||||
-rw-r--r-- | modules/ssl/ssl_engine_pphrase.c | 49 | ||||
-rw-r--r-- | modules/ssl/ssl_util.c | 34 |
4 files changed, 50 insertions, 45 deletions
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index fc29d097be..4abd82c94c 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -112,8 +112,8 @@ static const command_rec ssl_config_cmds[] = {
 "SSL Server CA Certificate Chain file "
 "(`/path/to/file' - PEM encoded)")
 SSL_CMD_SRV(PKCS7CertificateFile, TAKE1,
- "PKCS#7 file containing server certificate and chain"
- " certificates (`/path/to/file' - PEM ecnoded)")
+ "PKCS#7 file containing server certificate and chain"
+ " certificates (`/path/to/file' - PEM ecnoded)")
 SSL_CMD_ALL(CACertificatePath, TAKE1,
 "SSL CA Certificate path "
 "(`/path/to/dir' - contains PEM encoded files)")
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 5a04441ae1..9487463a01 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -654,8 +654,8 @@ static void ssl_init_ctx_pkcs7_cert_chain(server_rec *s,modssl_ctx_t *mctx)
 int n;
 if (!mctx->ssl_ctx->extra_certs)
- for (n = 1; n < sk_X509_num(certs); ++n)
- SSL_CTX_add_extra_chain_cert(mctx->ssl_ctx, sk_X509_value(certs, n));
+ for (n = 1; n < sk_X509_num(certs); ++n)
+ SSL_CTX_add_extra_chain_cert(mctx->ssl_ctx, sk_X509_value(certs, n));
 }
 static void ssl_init_ctx_cert_chain(server_rec *s,
@@ -668,8 +668,8 @@ static void ssl_init_ctx_cert_chain(server_rec *s,
 const char *chain = mctx->cert_chain;
 if (mctx->pkcs7) {
- ssl_init_ctx_pkcs7_cert_chain(s,mctx);
- return;
+ ssl_init_ctx_pkcs7_cert_chain(s, mctx);
+ return;
 }
 /*
diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c
index d9f2e29d50..94e3605133 100644
--- a/modules/ssl/ssl_engine_pphrase.c
+++ b/modules/ssl/ssl_engine_pphrase.c
@@ -186,7 +186,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
 * because this file isn't encrypted in any way.
 */
 if (sc->server->pks->cert_files[0] == NULL
- && sc->server->pkcs7 == NULL) {
+ && sc->server->pkcs7 == NULL) {
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, pServ,
 "Server should be SSL-aware but has no certificate "
 "configured [Hint: SSLCertificateFile]");
@@ -196,28 +196,31 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
 algoCert = SSL_ALGO_UNKNOWN;
 algoKey = SSL_ALGO_UNKNOWN;
 for (i = 0, j = 0; i < SSL_AIDX_MAX
- && (sc->server->pks->cert_files[i] != NULL
- || sc->server->pkcs7); i++) {
- if (sc->server->pkcs7) {
- STACK_OF(X509) *certs = ssl_read_pkcs7(pServ, sc->server->pkcs7);
-
- pX509Cert = sk_X509_value(certs, 0);
- i = SSL_AIDX_MAX;
- } else {
- apr_cpystrn(szPath, sc->server->pks->cert_files[i], sizeof(szPath));
- if ((rv = exists_and_readable(szPath, p, NULL)) != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
- "Init: Can't open server certificate file %s",
- szPath);
- ssl_die();
- }
- if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Init: Unable to read server certificate from file %s", szPath);
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
- ssl_die();
- }
- }
+ && (sc->server->pks->cert_files[i] != NULL
+ || sc->server->pkcs7); i++) {
+ if (sc->server->pkcs7) {
+ STACK_OF(X509) *certs = ssl_read_pkcs7(pServ,
+ sc->server->pkcs7);
+ pX509Cert = sk_X509_value(certs, 0);
+ i = SSL_AIDX_MAX;
+ } else {
+ apr_cpystrn(szPath, sc->server->pks->cert_files[i],
+ sizeof(szPath));
+ if ((rv = exists_and_readable(szPath, p, NULL))
+ != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+ "Init: Can't open server certificate file %s",
+ szPath);
+ ssl_die();
+ }
+ if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Init: Unable to read server certificate from"
+ " file %s", szPath);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_die();
+ }
+ }
 /*
 * check algorithm type of certificate and make
 * sure only one certificate per type is used.
diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c
index ef716beda4..5467a1960d 100644
--- a/modules/ssl/ssl_util.c
+++ b/modules/ssl/ssl_util.c
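Review bot: In the pkcs7 branch, `pX509Cert = sk_X509_value(certs, 0);` is left unchecked, and ssl_read_pkcs7 (the ssl_util.c hunk below) rejects only a NULL stack, not one with `sk_X509_num(certs) == 0`, so a PKCS#7 file carrying an empty certificate stack leaves pX509Cert NULL for the algorithm check that follows this hunk, which presumably dereferences it. The cheapest fix is in ssl_read_pkcs7, `if (!certs || sk_X509_num(certs) == 0) {`, reusing its existing "No certificates" error; alternatively this branch could test `if (pX509Cert == NULL)` and `ssl_die()` the way the file branch does. `i = SSL_AIDX_MAX;` relies on the loop condition to end iteration after this pass and deserves a comment, e.g. `/* PKCS#7 supplies a single certificate; make this the last pass */`. ssl_pphrase_Handle begins and ends outside this hunk.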
@@ -268,44 +268,46 @@ const char *ssl_asn1_table_keyfmt(apr_pool_t *p,
 STACK_OF(X509) *ssl_read_pkcs7(server_rec *s,const char *pkcs7) {
 PKCS7 *p7;
- STACK_OF(X509) *certs;
+ STACK_OF(X509) *certs = NULL;
 FILE *f;
 f = fopen(pkcs7, "r");
 if (!f) {
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "Can't open %s", pkcs7);
- ssl_die();
+ ssl_die();
 }
 p7 = PEM_read_PKCS7(f,NULL,NULL,NULL);
 if (!p7) {
- ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s,
- "Can't read PKCS7 object %s", pkcs7);
- ssl_log_ssl_error(APLOG_MARK, APLOG_CRIT, s);
- exit(1);
+ ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s,
+ "Can't read PKCS7 object %s", pkcs7);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_CRIT, s);
+ exit(1);
 }
 switch (OBJ_obj2nid(p7->type)) {
 case NID_pkcs7_signed:
- certs = p7->d.sign->cert;
- break;
+ certs = p7->d.sign->cert;
+ break;
 case NID_pkcs7_signedAndEnveloped:
- certs = p7->d.signed_and_enveloped->cert;
- break;
+ certs = p7->d.signed_and_enveloped->cert;
+ break;
 default:
- ap_log_error(APLOG_MARK, APLOG_CRIT|APLOG_NOERRNO, 0, s,
- "Don't understand PKCS7 file %s", pkcs7);
- ssl_die();
+ ap_log_error(APLOG_MARK, APLOG_CRIT|APLOG_NOERRNO, 0, s,
+ "Don't understand PKCS7 file %s", pkcs7);
+ ssl_die();
 }
 if (!certs) {
- ap_log_error(APLOG_MARK, APLOG_CRIT|APLOG_NOERRNO, 0, s,
- "No certificates in %s", pkcs7);
- ssl_die();
+ ap_log_error(APLOG_MARK, APLOG_CRIT|APLOG_NOERRNO, 0, s,
+ "No certificates in %s", pkcs7);
+ ssl_die();
 }
+ fclose(f);
+ return certs;
 } |
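Review bot: The stack handed back by the new `return certs;` line is not an independent object — it is `p7->d.sign->cert` or `p7->d.signed_and_enveloped->cert`, and `p7` is never released anywhere in this function, so the returned stack stays valid only because the PKCS7 object is kept alive by never being freed; that ownership should be stated on the function, e.g. `/* Returns the certificate stack owned by the parsed PKCS7 object, which is deliberately never freed here; callers must not free the stack. */`. The `if (!p7)` path still ends in `exit(1)` while every other failure in the function calls `ssl_die()`; using `ssl_die();` there keeps the error-exit behaviour uniform and avoids the one branch that bypasses whatever ssl_die does beyond exiting. The whole of ssl_read_pkcs7 appears to be inside this hunk.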